The following is my search query:
index=* | regex _raw!=".2016-\d{2}-\d{2}." | stats values(host) as hosts
Also, is there any way that I can see all the sources per host which my search string satisfies?
Probably the best way to identify Windows hosts at search time would be to use tags. Settings -> Tags. Be sure to adjust permissions as required in your use case.
A more dynamic, but also more "expensive", method would be to use a subsearch on the _internal index:
index=* [
search index=_internal os=Windows sourcetype=splunkd |
stats count by hostname | rename hostname as host | fields host ] |
stats values(source) as sources by host
EDIT to add regex command:
index=* [
search index=_internal os=Windows sourcetype=splunkd |
stats count by hostname | rename hostname as host | fields host ] |
regex _raw!=".2016-\d{2}-\d{2}." |
stats values(source) as sources by host
By the above search I am able to see all the Windows hosts and sources, which is good. But I want to see the hosts and sources which satisfy the search string " index=* | regex _raw!=".2016-\d{2}-\d{2}." " and then I need to filter the results by your search string. So is there any way that I can get the results by using both the search strings?
Add your regex command before the stats command:
index=* [
search index=_internal os=Windows sourcetype=splunkd |
stats count by hostname | rename hostname as host | fields host ] |
regex _raw!=".2016-\d{2}-\d{2}." | stats values(source) as sources by host
index=* | regex _raw!=".2016-\d{2}-\d{2}." | stats list(source) as sources by host
Try this:
index=* | regex _raw!=".2016-\d{2}-\d{2}." | stats values(source) as sources by host
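To make the behaviour of the accepted answer's subsearch and of the values()/list() answers above concrete, here is an added example that is not from the original thread or from Splunk itself: a small Python model of the pipeline run over a handful of constructed events. It assumes the field names the SPL uses (index, host, source, sourcetype, _raw, and os/hostname on splunkd events in _internal) and mimics three pieces of SPL semantics: the subsearch collapses to a host filter ANDed with the outer search, `regex _raw!=` keeps only events that do not match (unanchored search, so the leading and trailing `.` in the original pattern each require one extra character around the date), and `values()` returns sorted unique values while `list()` keeps duplicates in order.

```python
import re
from collections import defaultdict

# Constructed sample events (not taken from the original post). _internal/splunkd
# events carry 'os' and 'hostname'; ordinary events carry host/source/_raw.
EVENTS = [
    {"index": "_internal", "sourcetype": "splunkd", "hostname": "win-dc01",
     "os": "Windows", "_raw": "Metrics - group=thruput"},
    {"index": "_internal", "sourcetype": "splunkd", "hostname": "win-dc02",
     "os": "Windows", "_raw": "Metrics - group=thruput"},
    {"index": "_internal", "sourcetype": "splunkd", "hostname": "lnx-web01",
     "os": "Linux", "_raw": "Metrics - group=thruput"},
    {"index": "main", "host": "win-dc01", "source": "WinEventLog:Security",
     "_raw": "2016-03-01 logon failure for user bob"},   # date at very start of _raw
    {"index": "main", "host": "win-dc01", "source": "WinEventLog:System",
     "_raw": "2017-01-05 12:00:01 service started"},
    {"index": "main", "host": "win-dc01", "source": "WinEventLog:System",
     "_raw": "2017-01-06 12:00:01 service stopped"},
    {"index": "main", "host": "lnx-web01", "source": "/var/log/syslog",
     "_raw": "2017-01-05 cron run"},
    {"index": "main", "host": "win-dc02", "source": "C:\\logs\\app.log",
     "_raw": "2017-02-02 app ok"},
    {"index": "main", "host": "win-dc02", "source": "C:\\logs\\app.log",
     "_raw": "app started at 2016-02-02 ok"},
    {"index": "main", "host": "win-dc02", "source": "C:\\logs\\db.log",
     "_raw": "app backup on 2016-05-01 done"},
]

# The pattern exactly as written in the thread, and a variant without the
# surrounding '.' wildcards (assumption: the intent is "contains a 2016 date").
ORIGINAL_PATTERN = re.compile(r".2016-\d{2}-\d{2}.")
DATE_ONLY_PATTERN = re.compile(r"2016-\d{2}-\d{2}")


def windows_hosts(events):
    """Subsearch: index=_internal os=Windows sourcetype=splunkd
    | stats count by hostname | rename hostname as host | fields host
    Returns the set of host values the subsearch hands to the outer search."""
    return {
        e["hostname"]
        for e in events
        if e.get("index") == "_internal"
        and e.get("sourcetype") == "splunkd"
        and e.get("os") == "Windows"
    }


def regex_exclude(events, pattern):
    """regex _raw!="pattern": keep events whose _raw does NOT match anywhere."""
    return [e for e in events if not pattern.search(e["_raw"])]


def sources_by_host(events, host_filter=None, dedupe=True):
    """stats values(source) as sources by host (dedupe=True)
    or stats list(source) as sources by host (dedupe=False)."""
    acc = defaultdict(list)
    for e in events:
        if "host" not in e or "source" not in e:
            continue                      # no host/source field: dropped by 'by host'
        if host_filter is not None and e["host"] not in host_filter:
            continue                      # outer search ANDed with subsearch hosts
        acc[e["host"]].append(e["source"])
    if dedupe:
        return {h: sorted(set(s)) for h, s in acc.items()}
    return dict(acc)


def run_search(events, pattern=ORIGINAL_PATTERN, dedupe=True):
    """The full accepted-answer pipeline: subsearch host filter, regex exclusion,
    then stats by host."""
    hosts = windows_hosts(events)
    kept = regex_exclude(events, pattern)
    return sources_by_host(kept, host_filter=hosts, dedupe=dedupe)


if __name__ == "__main__":
    print("windows hosts:", sorted(windows_hosts(EVENTS)))
    print("original pattern:", run_search(EVENTS))
    print("date-only pattern:", run_search(EVENTS, pattern=DATE_ONLY_PATTERN))
    print("list() instead of values():", run_search(EVENTS, dedupe=False))
```

Running it shows the two checks worth making before trusting the SPL: the WinEventLog:Security event whose _raw begins with "2016-03-01" survives the original pattern because the leading `.` demands a character before the date, so if the goal is "drop anything with a 2016 date" the pattern should not wrap the date in `.`; and list() reports WinEventLog:System twice for win-dc01 where values() reports it once. Also keep in mind that a subsearch is limited by limits.conf ([subsearch] maxout and maxtime), so on a large estate the host list can be silently truncated, which is one reason the tag-based approach in the accepted answer scales better.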